X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;ds=sidebyside;f=src%2Fanalysisd%2Frules.h;h=03204cfcfb7e8ad8aa0e4cbd6631b99948236f58;hb=6ef2f786c6c8ead94841b5f93baf9f43421f08c8;hp=c61df285961b84df66b5e48d4eb7112101784e55;hpb=914feba5d54f979cd5d7e69c349c3d01f630042a;p=ossec-hids.git
diff --git a/src/analysisd/rules.h b/src/analysisd/rules.h
index c61df28..03204cf 100755
--- a/src/analysisd/rules.h
+++ b/src/analysisd/rules.h
@@ -1,11 +1,12 @@
-/* @(#) $Id: rules.h,v 1.41 2009/06/24 17:06:22 dcid Exp $ */
+/* @(#) $Id: ./src/analysisd/rules.h, 2011/09/08 dcid Exp $
+ */
 /* Copyright (C) 2009 Trend Micro Inc.
 * All right reserved.
 *
 * This program is a free software; you can redistribute it
 * and/or modify it under the terms of the GNU General Public
- * License (version 3) as published by the FSF - Free Software
+ * License (version 2) as published by the FSF - Free Software
 * Foundation
 */
@@ -18,6 +19,8 @@
 #include "shared.h"
 #include "active-response.h"
+#include "lists.h"
+
 /* Event context - stored on a uint8 */
 #define SAME_USER 0x001 /* 1 */
@@ -27,6 +30,7 @@
 #define DIFFERENT_URL 0x010 /* */
 #define SAME_SRCPORT 0x020
 #define SAME_DSTPORT 0x040
+#define SAME_DODIFF 0x100
 #define NOT_SAME_USER 0xffe /* 0xfff - 0x001 */
 #define NOT_SAME_SRCIP 0xffd /* 0xfff - 0x002 */
 #define NOT_SAME_ID 0xffb /* 0xfff - 0x004 */
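Review bot: `SAME_DODIFF 0x100` is the first context flag that needs more than eight bits, yet the comment introduced two hunks earlier still says the context options are `stored on a uint8`; if the field really is `u_int8_t` the flag is truncated to 0 and any test for it never fires, and if the field is wider (as the existing `0xffe`-style NOT_SAME_* masks suggest) the comment is stale. Please confirm the width of the field in the struct, which is outside this hunk, and if it is 16 bits change the comment to `/* Event context - stored on a u_int16_t */`. The NOT_SAME_* family is built as `0xfff - flag`; if a negated form of this bit is ever needed it would be `#define NOT_SAME_DODIFF 0xeff /* 0xfff - 0x100 */`, but only add it if a caller actually uses it.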
@@ -36,12 +40,41 @@
 #define DO_FTS 0x001
 #define DO_MAILALERT 0x002
 #define DO_LOGALERT 0x004
+#define NO_AR 0x008
 #define NO_ALERT 0x010
 #define DO_OVERWRITE 0x020
 #define DO_PACKETINFO 0x040
 #define DO_EXTRAINFO 0x100
 #define SAME_EXTRAINFO 0x200
+#define RULE_MASTER 1
+#define RULE_SRCIP 2
+#define RULE_SRCPORT 4
+#define RULE_DSTIP 8
+#define RULE_DSTPORT 16
+#define RULE_USER 32
+#define RULE_URL 64
+#define RULE_ID 128
+#define RULE_HOSTNAME 256
+#define RULE_PROGRAM_NAME 512
+#define RULE_STATUS 1024
+#define RULE_ACTION 2048
+
+
+#define RULEINFODETAIL_TEXT 0
+#define RULEINFODETAIL_LINK 1
+#define RULEINFODETAIL_CVE 2
+#define RULEINFODETAIL_OSVDB 3
+#define RULEINFODETAIL_BUGTRACK 4
+
+#define MAX_RULEINFODETAIL 32
+
+typedef struct _RuleInfoDetail
+{
+ int type;
+ char *data;
+ struct _RuleInfoDetail *next;
+}RuleInfoDetail;
 typedef struct _RuleInfo
@@ -62,7 +95,7 @@ typedef struct _RuleInfo
 int __frequency;
 char **last_events;
-
+
 /* Not an option in the rule */
 u_int16_t alert_opts;
@@ -72,7 +105,7 @@ typedef struct _RuleInfo
 /* category */
 u_int8_t category;
-
+
 /* Decoded as */
 u_int16_t decoded_as;
@@ -94,7 +127,7 @@ typedef struct _RuleInfo
 /* Function pointer to the event_search. */
 void *(*event_search)(void *lf, void *rule);
-
+
 char *group;
 OSMatch *match;
@@ -116,11 +149,13 @@ typedef struct _RuleInfo
 OSMatch *program_name;
 OSMatch *extra_data;
 char *action;
-
+
 char *comment; /* description in the xml */
 char *info;
 char *cve;
-
+ RuleInfoDetail *info_details;
+ ListRule *lists;
+
 char *if_sid;
 char *if_level;
 char *if_group;
@@ -128,7 +163,7 @@ typedef struct _RuleInfo
 OSRegex *if_matched_regex;
 OSMatch *if_matched_group;
 int if_matched_sid;
-
+
 void *(*compiled_rule)(void *lf);
 active_response **ar;
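Review bot: `RuleInfoDetail` is introduced with no comment on who owns `data` or what `MAX_RULEINFODETAIL` bounds, so a reader cannot tell whether `zeroinfodetails` copies the string out of the rule XML or keeps a pointer into the parser's buffer, nor where the limit of 32 entries per rule is enforced. I would put above the typedef something like `/* One <info> entry of a rule (text, link, CVE, OSVDB or Bugtraq id). data is owned by the node; a rule's list is capped at MAX_RULEINFODETAIL entries by the loader */`, adjusted to what rules.c actually does. The `type` field only ever holds the five `RULEINFODETAIL_*` values, so an `enum` would make the range debugger-visible, though the header otherwise uses `#define` for such constants and consistency may win. Style nit: `}RuleInfoDetail;` should read `} RuleInfoDetail;`.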
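Review bot: `info_details` and `lists` are added right after the existing `char *info;` and `char *cve;` with no comment saying whether those two remain populated or are superseded by the `RULEINFODETAIL_*` entries, which is the first thing a reader of this struct will ask. A one-line comment such as `/* Linked list of <info> entries; info/cve above are ... */` (filling in the real relationship) would settle it. Both new members are pointers to separately allocated lists, so `zerorulemember()` in rules.c, outside this diff, must set them to NULL for rules that carry no `<info>` or `<list>`; I cannot see from here whether it does. The `RuleInfo` struct continues outside this hunk.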
@@ -145,12 +180,15 @@ typedef struct _RuleNode
 RuleInfo *currently_rule; /* */
+RuleInfoDetail *zeroinfodetails(int type, char *data);
+int get_info_attributes(char **attributes, char **values);
+
 /* RuleInfo functions */
-RuleInfo *zerorulemember(int id,
+RuleInfo *zerorulemember(int id,
 int level,
-int maxsize,
+int maxsize,
 int frequency,
-int timeframe,
+int timeframe,
 int noalert,
 int ignore_time,
 int overwrite);
@@ -184,10 +222,10 @@ RuleNode *OS_GetFirstRule();
 /** Defition of the internal rule IDS **
 ** These SIGIDs cannot be used **
 ** **/
-
+
 #define STATS_MODULE 11
 #define FTS_MODULE 12
-#define SYSCHECK_MODULE 13
+#define SYSCHECK_MODULE 13
 #define HOSTINFO_MODULE 15
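Review bot: the two new prototypes say nothing about their contract: `get_info_attributes` returns an `int` whose meaning (a `RULEINFODETAIL_*` type, or an error code for an unknown attribute?) is not stated, and `zeroinfodetails` takes `char *data` where `const char *` is the honest signature if it only reads or copies the string. I would document them at the declaration, e.g. `/* Allocate one info-detail node of the given RULEINFODETAIL_* type (see rules.c for the failure value) */` and `/* Map an <info> tag's attribute/value pairs to a RULEINFODETAIL_* type; see rules.c for what is returned on an unknown attribute */`, with the return semantics filled in from the definitions. They are also placed above the `/* RuleInfo functions */` banner rather than beneath it, which reads as if they belonged to the preceding `RuleNode` section. Only the prototypes are visible here; the definitions are outside this diff.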